Archive for the ‘Website Security’ Category

Star Wars and Spambots

Ever see Star Wars?  Of course you have.  Remember C-3PO, the annoying robot nobody wanted showing up to the party?  Of course you do.  I mean, come on, it’s Star Wars.  How could you forget?

Well, if you have a website with a form on it, you have likely become acquainted with one of C-3PO’s distant relatives.  You know what I’m talking about.  You see a form submission that looks something like this:

Name: owihe0wlerjlwrrwer
Email: iru98uououou
Comments: wooeoeirororwieoirj

Yep, you have been visited by a spambot – impossible to avoid on standard web forms.  At some point they find you and start submitting random gibberish junk that makes about as much sense as R2-D2’s bleeps and blips.

You have probably seen CAPTCHA fields on forms, where you are required to type in some random letters or words before you can submit the form.  These are used to keep the spambots out, as the spambot, lacking the intellect of C-3PO (I think it is a product of robot inbreeding), can’t reason with a CAPTCHA entry box; only a human can.  The problem is, humans tend to hate CAPTCHA fields.

You can add a CAPTCHA field, but by default we don’t do this for our clients: since humans don’t like entering CAPTCHA fields, it can reduce the number of submissions you get.  We also don’t use CAPTCHA fields on the forms on our own site, so we get a few of these spambot entries each day.  We just trash them, as the time it takes to trash a couple a day is worth the few legit submissions here and there that we might not have gotten otherwise.

This is not to totally rule out CAPTCHA fields.  If your site is seeing hack attempts, then it can make sense to tighten down the site, which is why you see CAPTCHA fields on high-profile sites.

If the spambot is coming from one or just a few IP addresses, you can also look at IP blocking to keep the offending bot away.  But again, it is usually easiest to just delete the spam.
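
To check whether the junk really is coming from one or just a few IP addresses before you bother with blocking, here is an added example (not part of the original post).  It assumes your form handler records the submitter's IP address with each entry; the field names, thresholds and sample data are made up for illustration.

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def looks_like_junk(sub):
    """Match the kind of entry shown in the post: the email is not an
    address and the comment is a single unbroken run of characters."""
    return (not EMAIL_RE.match(sub["email"])
            and len(sub["comments"].split()) <= 1)

def block_candidates(submissions, min_junk=3, max_ips=3):
    """Return IPs worth blocking, or [] if the junk is too spread out."""
    junk, legit = Counter(), Counter()
    for sub in submissions:
        (junk if looks_like_junk(sub) else legit)[sub["ip"]] += 1
    # Repeat offenders that never sent anything legitimate.
    heavy = [ip for ip, n in junk.most_common()
             if n >= min_junk and legit[ip] == 0]
    covered = sum(junk[ip] for ip in heavy)
    # Blocking only pays off when a few IPs send most of the junk.
    if heavy and len(heavy) <= max_ips and covered * 2 > sum(junk.values()):
        return heavy
    return []

def entry(ip, name, email, comments):
    return {"ip": ip, "name": name, "email": email, "comments": comments}

# Constructed sample data (documentation-range IPs, made-up entries).
SAMPLE = [
    entry("203.0.113.7", "owihe0wlerjlwrrwer", "iru98uououou", "wooeoeirororwieoirj"),
    entry("192.0.2.15", "Jane Smith", "jane@example.com", "Please send a quote."),
    entry("203.0.113.7", "qpwoeiruty", "zmxncbv", "lkjhgfdsa"),
    entry("203.0.113.7", "mnbvcxz", "poiuytrewq", "asdfghjkl"),
    entry("198.51.100.20", "xkcdxkcd", "ghghghgh", "tytytyty"),
    entry("203.0.113.7", "rtyufghj", "vbnmvbnm", "qweqweqwe"),
    entry("192.0.2.44", "Bob Lee", "bob@example.org", "Do you host email too?"),
]

if __name__ == "__main__":
    print(block_candidates(SAMPLE))
```

An empty result means the junk is spread across many addresses or mixed with real submissions, in which case deleting it by hand is still the easier route.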


Website Security – Is Your SSL Certificate Up to Date

Repost from my November 2007 eNewsletter: 

“Do you have an e-commerce website?  Do you collect any financially or privacy sensitive data?  If so, make sure your SSL certificate is up-to-date and working.  An SSL certificate encrypts the data sent from your website, such as online orders a customer has placed.  Without encryption from an SSL certificate, this data can be more easily hijacked by a hacker and pose serious liability to your company.  Typically, your SSL certificate will come up for renewal on a yearly basis.  Common providers of SSL certificates are Verisign, Thawte, Entrust and GoDaddy.


Not sure if you have, or need, an SSL certificate for your website?  If so, call me ASAP at 1-800-709-3240 or (352) 732-7700.”